Transfer of personal data to third countries or international organisations
Requirements for the transfer of personal data to third countries or international organisations
The previous requirements for the lawful transfer of personal data to third countries (outside the European Union and the European Economic Area – «EEA») are confirmed, with some exceptions.
Data can be transferred to third countries or international organisations if at least one of the following applies:
a. adequacy of the third country determined by a decision of the European Commission;
b. in the absence of an adequacy decision of the Commission, the controllers and processors involved may transfer personal data if appropriate safeguards are put in place, such as:
   i. binding corporate rules («BCRs»);
   ii. standard data protection clauses adopted by the Commission for transfers from a controller to a controller and from a controller to a processor;
c. in the absence of any other requirement, there are derogations for specific situations, such as the data subject’s consent, or when data processing is necessary for the performance of a contract or for the establishment, exercise or defence of legal claims.
Transfer on the basis of an adequacy decision
The adequacy decisions issued by the Commission (that is, decisions recognising the level of protection in third countries, including the «Privacy Shield»), as well as the international agreements and decisions issued before 24 May 2016 by the Member States, shall remain valid until amended, replaced or repealed. This means that the national authorisations issued by the supervisory authorities on the basis of the adequacy decisions of the Commission are still in force.
So far, the adequacy decisions in force concern the following countries: Andorra, Argentina, Australia – PNR, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, Japan. As for the EEA, the decisions concern Norway, Liechtenstein and Iceland.
Binding Corporate Rules («BCRs»)
The GDPR sets out the requirements for the approval of binding corporate rules and what they shall specify. The list provided by the GDPR is not exhaustive; therefore, the competent authorities may issue further requirements, as appropriate. However, the approval flow is quite complex and the European Data Protection Board («EDPB») shall be involved.
Transfer subject to appropriate safeguards
In addition to binding corporate rules, appropriate safeguards include the standard contractual clauses issued by the European Commission for transfers from an EU controller to an extra-EU controller and from an EU controller to an extra-EU processor. The clauses already issued are still in force. Standard contractual clauses are the most widely adopted mechanism for the transfer of personal data to third countries. The «Privacy Shield» is also considered a suitable safeguard. To these appropriate safeguards the GDPR has added adherence to an approved code of conduct or to an approved certification mechanism.
Derogations for specific situations
In the absence of the previously mentioned requirements, the transfer of personal data to third countries may be carried out with the data subject’s consent, or if the transfer is necessary for the performance of a contract between the controller and the data subject or for the implementation of pre-contractual measures taken at the data subject’s request. Personal data may also be transferred if necessary for the establishment, exercise or defence of legal claims, for important reasons of public interest, or for the protection of the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent.
What has changed with the GDPR
The GDPR introduces codes of conduct and the certification mechanism, which may be relied upon as appropriate safeguards. Besides, no authorisation by the supervisory authority is required. This means that a transfer to a third country deemed adequate by a Commission decision, or a transfer based on the adopted standard contractual clauses or on BCRs, may take place without the supervisory authority’s prior authorisation. The supervisory authority’s prior authorisation shall remain necessary if the controller intends to use specific contractual clauses (that is, clauses which differ from those issued by the European Commission) or for administrative arrangements between public authorities.